The vulnerabilities patched in Google’s Chrome 76 update may have been more severe than initially reported, based on a new advisory put out by the Center for Internet Security. The non-profit organization says that at least some of those that were fixed — with at least one deserving of a $10,000 finders reward — pose a serious threat to users.
In particular, the organization says that multiple vulnerabilities listed in Google’s update log allow for arbitrary code execution. The results of that could include up to the installation programs or the creation of new accounts. Would-be attackers could also exploit the vulnerabilities to look at, alter, or delete data.
More concerning, executing an attack would be relatively straightforward for a bad actor, the report posits. The user only needs to be in Chrome and visit a page designed to take advantage of the vulnerability. Worse, that can be instigated by a redirect from another page, potentially opening more avenues of attack.
Who is most at risk?
Based on the initial assessment of the vulnerabilities in question, the Center for Internet Security report highlights that homeowners aren’t actually at a high level of risk from the vulnerabilities. That’s not to say there is no risk there but those at the greatest risk are ‘large or medium’ government and business entities. A less severe risk is also present for smaller entities of the same types.
The risk here is that an entity would utilize the vulnerabilities in systems that haven’t yet been updated to gain access to sensitive information whether that’s official documents or business finances. Since the vulnerability could be used to do anything from installing malicious software — causing any number of further damages — to changing or stealing information to the benefit of the attacker.
Conversely, unauthorized changes to information carry the risk of causing large-scale problems outside of the digital world the attacks originate in.
What about Chrome OS?
The Center for Internet Security has explained that no exploitation seems to have occurred yet but the update to version 76 only just started rolling out yesterday to Android and desktop platforms — the organization says specifically that version number 76.0.3809.87 or newer is required to patch the problems. Updates can require days or even weeks to land on every user device.
Setting aside the gap between the vulnerabilities being documented and the eventual arrival of the update, the bigger elephant in the room now appears to be Chrome OS.
While the risks here don’t necessarily immediately impact home users, the operating system is used in educational institutions and increasingly by businesses, in addition to use by general consumers. That’s also not scheduled to receive a Stable Channel update until August 6 at the earliest, based on the Chrome release schedule published by Google.
Making matters worse, that isn’t a guaranteed date. Chrome 75, for example, didn’t arrive until several weeks after its expected rollout.
The organization is recommending that users take extra precautions against attacks that use the vulnerabilities by not running software or services with administrative privileges or as a privileged user. Visits to unfamiliar or untrusted websites should be limited as well, at least until the update has been applied.